[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Libvirt-announce] [libvirt] LSN-2016-0001 - Authentication disabled when setting empty VNC password



On Fri, Jul 01, 2016 at 10:31:33AM +0100, Daniel P. Berrange wrote:
       Libvirt Security Notice: LSN-2016-0001
       ======================================

      Summary: Authentication disabled when setting empty VNC
               password
  Reported on: 20130531
 Published on: 20130531
     Fixed on: 20160630
  Reported by: Vivian Zhang <vivianzhang redhat com>
               Christoph Anton Mitterer <calestyo scientia net>
   Patched by: Jiri Denemar <jdenemar redhat com>
     See also: CVE-2016-5008

     Branch: v1.3.1-maint
  Broken in: v1.3.3.1
  Broken by: 9d73efdbe3ea61a13a11fdc24a2cb530eaa0b66f
   Fixed by: 2d5370eba6b52f44cf832eba28f162c55331a47c

     Branch: v1.3.3-maint
  Broken in: v1.3.3.1
  Broken by: 9d73efdbe3ea61a13a11fdc24a2cb530eaa0b66f
   Fixed by: 881441f84a30cd3921df313a982f7162d7ca04f4


I just want to make sure my guess is right.  We don't have 1.3.2-maint
branch, so it wasn't back-ported there.  Does that mean we will never
need such branch, hence we're fine; or does it mean that we should add a
branch for the CVE fix just in case someone wants to back-port other fix
to 1.3.2 and creates it -- so that it is not vulnerable?

My guess is that we won't have 1.3.2 but we should rather be safe...

Martin

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]